Author: 林信宇 (Lin, Xin-Yu)
Title: LMHound: Enhanced Lateral Movement Detection through Login Pairing (Chinese title: LMHound: 透過登入配對強化橫向移動偵測)
Advisor: 蔡孟勳 (Tsai, Meng-Hsun)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2023
Graduation academic year: 111 (ROC calendar)
Language: English
Pages: 42
Keywords: Lateral Movement, Anomaly Detection, Network Security (Chinese: 橫向移動、異常偵測、網路安全)
Chinese abstract (translated):

In recent years, information security has received growing attention, and cases of enterprises and government agencies being compromised by attackers are reported regularly. After gaining access to the internal network through phishing, zero-day attacks or similar means, the attacker scans and penetrates the intranet, then moves to other hosts by exploiting further vulnerabilities or by using remote access protocols such as SSH and RDP, in order to obtain higher privileges and more sensitive data such as account credentials, source code or other company assets. This behaviour is called "lateral movement"; it frequently causes serious losses to governments and enterprises and is typical of attackers.

Lateral movement usually exhibits characteristics such as user identity switching and unusual login behaviour. Using these characteristics, we propose LMHound to detect lateral movement within the intranet. In addition to server-side login logs, we add client-side network connection logs and process information to correlate login behaviour, which improves alert accuracy and lowers the probability of false positives; we implement it on Linux and Windows, the systems commonly found in enterprises and government units. Finally, we run simulations on a public dataset; the experimental results show that the system's detection rate reaches 98.9% with a false positive rate of only 0.0025.

Abstract:

In recent years, information security issues have received more and more attention, and cases of enterprises and government agencies being compromised by hackers are reported from time to time. After an attacker gains access to an organization's intranet through phishing, a zero-day attack, etc., they scan the internal network and move laterally to other hosts, either simply by logging in or by exploiting vulnerabilities, to obtain more sensitive information such as account credentials, source code, or other organizational property. This attack is called "lateral movement"; it can cause significant losses to organizations and is typical hacker behavior.

Lateral movement typically includes user identity switching and unusual login behavior. Using these signatures, we propose LMHound to detect lateral movement in the intranet. In addition to server-side login logs, we correlate client-side network connection logs and process information with login events, improving the accuracy of our system and reducing the probability of false positives. We have implemented it on Linux and Windows, the operating systems most commonly used by enterprises and government organizations. Finally, we evaluated LMHound using simulated attacks on a publicly available dataset. The results show that LMHound detects 98.9% of the simulated attacks with a false positive rate of 0.0025.

Contents:
中文摘要 (Chinese abstract) i
Abstract ii
Acknowledgements iv
Contents v
List of Tables vii
List of Figures viii
1 Introduction 1
2 Related Work 5
2.1 Machine-Learning-Based Methods 5
2.2 Signature-Based Methods 6
3 Proposed Scheme 9
3.1 Preprocessing 11
3.2 Path Inference 12
3.3 Detection 16
3.4 Node Selection 21
4 Implementation 23
4.1 Login Pairing on Windows Operating System 23
4.2 Login Pairing on Linux Operating System 24
5 Performance Evaluation 26
5.1 Experiment Setup 27
5.2 Simulated Attacks 27
5.3 Results 29
6 Conclusions 38
References 40
